AD DS: User accounts and trusts in this domain should not be configured for DES only

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer.

A user account or trust for this domain is configured for Data Encryption Standard (DES) only. DES is considered weak cryptography and is no longer enabled by default in Kerberos authentication in Windows 7 and Windows Server 2008 R2.

At one time, the computer that hosted the user account or trust was running an operating system, Java platform, or Kerberos version that did not support RC4. Therefore, the account was changed to support DES only. This also applies to trusts with older, non-Windows Kerberos realms. Even if the operating system or platform was later upgraded to support RC4 or Advanced Encryption Standard (AES), the account does not update automatically and is still using only DES.

Another possible issue is that an application could have hard-coded Kerberos encryption types.

Removing the encryption type that a service account supports can break a client application that uses the account. Test any potential changes you might have to make before you apply the following guidance.

If the computer that hosts the account is running a recent version of a non-Windows operating system or Java platform, removing the DES-only property from the user account allows other encryption types to be used. If the account was created before the domain functional level was Windows Server 2008, two things must be done to support AES:

Change the service account password to create an AES key.

Set AES 128-bit and 256-bit encryption support for the service account.

If the computer is running an old, non-Windows operating system or Java platform, determine whether at least RC4 is supported. Most Kerberos platforms have supported RC4 for several years.

If RC4 is supported, remove the DES-only property from the account to allow RC4 to be used.

If RC4 or AES is not supported, consider upgrading to a recent version of the platform.

If an upgrade is not available, contact the Kerberos platform vendor to ask if alternatives with stronger cryptography are possible.

If you must enable DES, enable DES on all client computers, the service's computer, and all domain controllers in the service account's domain. After the Kerberos platform is upgraded to a version that supports RC4 or AES, disable DES on all client computers, the service's computer, and all domain controllers in the service account's domain.

If the application or service has a hard-coded DES Kerberos encryption type:

Contact the application or service vendor to determine whether newer versions of the product support RC4 or AES.

If an upgrade is not available, ask if alternatives with stronger cryptography are possible.

If you must enable DES, enable DES on all client computers, the service's computer, and all domain controllers in the service account's domain. After the application or service is upgraded to a version that supports RC4 or AES, disable DES on all client computers, the service's computer, and all domain controllers in the service account's domain.

Membership in Domain Admins, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

Log on to an administrative workstation that has Active Directory Domain Services Tools installed. Active Directory Domain Services Tools are installed by default on domain controllers and they are also included with the Remote Server Administration Tools. For more information about how to obtain Remote Server Administration Tools, see Additional references.

Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

Navigate to the organizational unit (OU) where the user account is stored. By default, user accounts are created in the Users container.

Right-click the user account, and then click Properties.

Select the Account tab.

Clear the Use Kerberos DES encryption types for this account check box.
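The same audit and remediation can be scripted with the ActiveDirectory module that ships with Remote Server Administration Tools. The following is an added example, not code from the original article or from the Best Practices Analyzer: it lists user accounts whose userAccountControl has the documented USE_DES_KEY_ONLY bit (0x200000) set, lists trusts whose msDS-SupportedEncryptionTypes contains only DES bits (an assumption about how the BPA rule evaluates trusts), and provides a separate function that performs the three steps described above for one user account. It assumes the caller is a member of Domain Admins and that any affected application has been tested first.

```powershell
# Added example (not from the original article): audit, and optionally fix,
# Kerberos DES-only configuration with the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# Documented flag values for userAccountControl and msDS-SupportedEncryptionTypes.
$UseDesKeyOnly = 0x200000                # userAccountControl: USE_DES_KEY_ONLY
$DesBits       = 0x1 -bor 0x2            # DES_CBC_CRC | DES_CBC_MD5
$StrongBits    = 0x4 -bor 0x8 -bor 0x10  # RC4_HMAC | AES128 | AES256

function Get-DesOnlyKerberosConfig {
    # Users: the LDAP bitwise-AND matching rule selects accounts with the DES-only bit set.
    $filter = "(userAccountControl:1.2.840.113556.1.4.803:=$UseDesKeyOnly)"
    $users = Get-ADUser -LDAPFilter $filter `
        -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', PasswordLastSet
    foreach ($u in $users) {
        [pscustomobject]@{ Kind = 'User'; Name = $u.SamAccountName; DN = $u.DistinguishedName
                           EncTypes = $u.'msDS-SupportedEncryptionTypes'
                           PasswordLastSet = $u.PasswordLastSet }
    }
    # Trusts: reported here when the supported-enctype attribute lists DES but no
    # RC4 or AES bit (assumption about how the BPA rule evaluates trusts).
    foreach ($t in Get-ADTrust -Filter * -Properties 'msDS-SupportedEncryptionTypes') {
        $e = [int]($t.'msDS-SupportedEncryptionTypes')   # $null becomes 0
        if (($e -band $DesBits) -and -not ($e -band $StrongBits)) {
            [pscustomobject]@{ Kind = 'Trust'; Name = $t.Name; DN = $t.DistinguishedName
                               EncTypes = $e; PasswordLastSet = $null }
        }
    }
}

function Repair-DesOnlyUser {
    # The article's steps for one service account: clear the DES-only flag,
    # enable AES 128/256 support, then reset the password so an AES key is created.
    param([Parameter(Mandatory)][string]$SamAccountName)
    Set-ADAccountControl -Identity $SamAccountName -UseDESKeyOnly $false
    Set-ADUser -Identity $SamAccountName -KerberosEncryptionType AES128, AES256
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (Read-Host -AsSecureString "New password for $SamAccountName")
}

# Audit only by default; call Repair-DesOnlyUser per account after the application is tested.
Get-DesOnlyKerberosConfig | Format-Table -AutoSize
```

PasswordLastSet is reported because an account whose password predates the Windows Server 2008 domain functional level has no AES key until the password is changed, which is why the repair function ends with a reset.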